我现在要写一个驱动,中间要调用别的驱动中的未导出函数
是否可以像ring3下那样,找到地址再call?
如何可以,请帮看看这段代码有问题吗
如果不行,那又要怎么样才能实现这样的目的呢?
//得到 KeyboardClassServiceCallback函数在内核内的地址
ULONG GetKbdServiceCallBackAddr(PUCHAR Base, ULONG Size, ULONG DriverEntry, ULONG uIATAddr, ULONG ImageBase)
{
ULONG uKbdServiceCallBackAddr = 0;
ULONG nRetCode = FALSE;
ULONG i = 0;
PUCHAR Buffer = (PUCHAR)DriverEntry;
ULONG OpcodeLen = 0;
ULONG KeyboardAddDeviceExRoutine = 0;
PROCESS_ERROR(Size > DriverEntry - (ULONG)Base + 0x1200);
__try
{
i = 0;
while (i < 0x1000 )
{
if (Buffer[i] == 0xFF && //call dword ptr[xxxxx]
Buffer[i + 1] == 0x15)
{
if ( *(ULONG*)(Buffer + i + 2) == uIATAddr ) //判断是否是调用IoGetDeviceObjectPointer函数
{
break;
}
}
OpcodeLen = GetOpcodeLen(Buffer + i);
PROCESS_ERROR(OpcodeLen);
i += OpcodeLen;
}
PROCESS_ERROR(i < 0x1000);
while (i < 0x1000) //查找KeyboardAddDeviceEx函数地址
{
if (Buffer[i] == 0xE8)
{
KeyboardAddDeviceExRoutine = (ULONG)Buffer + i + *(ULONG*)(Buffer + i + 1) + 5;
break;
}
OpcodeLen = GetOpcodeLen(Buffer + i);
PROCESS_ERROR(OpcodeLen);
i += OpcodeLen;
}
PROCESS_ERROR(KeyboardAddDeviceExRoutine);
Buffer = (PUCHAR) KeyboardAddDeviceExRoutine;
i = 0;
while (i < 0x200)
{
if (Buffer[i] == 0xF && //Jnz xxxxx
Buffer[i + 1] == 0x84 &&
Buffer[i + 6] == 0x3B && //cmp eax, ecx
Buffer[i + 7] == 0xC1 &&
Buffer[i + 8] == 0x0F && //jnz xxxxx
Buffer[i + 9] == 0x85 &&
Buffer[i + 14] == 0x68 && //push KbdServiceCallBack
Buffer[i + 20] == 0xE8 //call KbdSendConnectRequest
)
{
uKbdServiceCallBackAddr = *(ULONG*)(Buffer + i + 14 + 1);
break;
}
OpcodeLen = GetOpcodeLen(Buffer + i);
PROCESS_ERROR(OpcodeLen);
i += OpcodeLen;
}
PROCESS_ERROR(i < 0x200);
PROCESS_ERROR(uKbdServiceCallBackAddr);
uKbdServiceCallBackAddr -= ImageBase;
Buffer = Base + uKbdServiceCallBackAddr;
i = 0;
while (i < 0x100)
{
if (Buffer[i] == 0xFF && //call dword ptr[xxxxx]
Buffer[i + 1] == 0x15
)
{
uKbdServiceCallBackAddr = (ULONG)(Buffer + i) - (ULONG)Base;